Create A Self-Signed SSL Certificate To Use With Apache

This is an article on Create A Self-Signed SSL Certificate To Use With Apache in Unix.

Normally web traffic (HTTP) is unencrypted i.e. it's passed around the network in plain text, so anyone with the right tools can view what's being transmitted. This is okay generally, but when we pass sensitive information like credit card information, passwords, nowadays even personal information & emails are important as they may be used to do identity theft, so even websites like Facebook & GMail use HTTPS by default.

HTTPS works by using SSL, which in turn uses asymmetric cryptography popularly known as public key cryptography. In public key cryptography, a public key and a private key are present, anything encrypted with the public key can only be decrypted with the corresponding private key and vice-versa. Although SSL uses public key cryptography a certificate is necessary, not for the functioning or to strengthen the encryption but to verify the owner of the certificate to be the person/organization they claim to be, so CAs (Certificate Authorities) sign your certificate so that other can trust you. See the image below, how GMail certificate is signed by Thwate.

In case, you just want to use SSL for web applications in your private network or organization, or just test using HTTPS with your application, you can self-sign the certificate and add the CA certificate to your browser's trusted list.

Generating The Private Key

We'll be using OpenSSL to generate the 2048 bit RSA private key using the Triple-DES algorithm. This is the CA's private key in the real world scenario.

Creating A Certificate Signing Request (CSR)

Now that we have the private key, we'll need to create a CSR and normally it is sent to a CA (Certificate Authority) like Versign or Thwate who will sign our certificate with their private key, but here we'll be self-signing the certificate.

Code:

[pradeep@home-desktop ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Mumbai
Locality Name (eg, city) [Newbury]:Matunga
Organization Name (eg, company) [My Company Ltd]:Go4expert
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:secure.go4expert.com
Email Address []:shabbir@go4expert.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Self-Signing The CSR

Now we can sign the CSR using the first created private key and we'll get a certificate, using this certificate will show an error/warning in your browser, which we'll see how to be fixed in the last step.